A friend of mine posted on Instagram a picture of a U.S. visa (or something similar; it was probably five years ago) to announce her trip to the U.S., and she took care to blur out sensitive information such as her passport number. But a Gaussian blur is easy to reverse and I successfully unblurred it and told her my discovery. I didn't use any specialized software; it was just Mathematica with its built-in ImageDeconvolve function with guessed parameters for the Gaussian kernel.
I personally recommend blacking out (adding a black rectangle) instead of blurring, and if it is a PDF, convert to an image afterwards because too many PDF editors use non-destructive operations to add a new object instead of changing what's underneath.
> I didn't use any specialized software; it was just Mathematica with its built-in ImageDeconvolve function with guessed parameters for the Gaussian kernel.
is one of the most HN comments I've come across recently :)
>"Well, it should be obvious to even the most dimwitted individual, who holds an advanced degree in hyperbolic topology..."
That gave me a laugh. I don't have any experience with Mathematica, but every time I see it mentioned (usually on HN) I'm amazed at the sheer breadth the system is capable of. The amount of use cases and possibilities blows my mind.
We had a similar issue in Australia as well.
Politicians' phone bills are published on the government website in summary form.
Someone in 2017 decided to blank out their phone numbers by changing the phone number text colour to white (same as background).
End result - hundreds of politicians and former prime ministers had their phone numbers leaked.
https://www.abc.net.au/news/2017-03-20/phone-numbers-of-fede...
People used to be able to get the personal information of police officers if they were involved, intentionally or not, in a traffic accident with a police car. They would request for the traffic accident report, and that included the personal information (including home address) of the police officers in the car. I was in QA and I tested the change when it was fixed. It now includes the address of Police HQ when a police officer is involved in a traffic incident.
You can dictionary attack pixelated photos.
With Gaussian kernels, besides deconvolution you can sometimes also dictionary attack them if you have the original font and if the kernel is properly normalized (i.e. most Gaussian blurs).
Although I haven't tried, I think there may even be neural network based techniques that can perform even more effectively than a dictionary attack.
Separately, if the image editing tools added sufficient random noise to their mosaic filters they might be able to thwart most of these attacks, or at least make them significantly harder.
It's a total cheat but it is funny how close that can get you to something that might be actually useful.
You'd be surprised at how many times this happens on Government documents with redaction.
:S
Both MS Word and PDF have leaked redacted/removed information in the past. Wasting paper given the severity of some of these leaks is minimal cost.
Firstly because it's a nice mix of analog and digital, and secondly because it's short enough to fit in a tweet - yet extremely secure.
Ministry of Defence redaction policy, https://assets.publishing.service.gov.uk/government/uploads/...
I've seen people use image editors on mobile and they'll "scribble" out sensitive information, but one of the problems is that if you pick the wrong pen it'll blend your strokes so it's not 100% opacity (but on a casual glance it's close enough). You can zoom in and change the contrast of a photo that has been redacted this way and recover information.
Real life document workflows can be really tricky. What if one is required to print or photocopy the obscured document? Devastating for the printer's toner or cartridge lifetime... In some cases an opaque grayish rectangle does the job.
Which could result in thousands of dollars of loss over decades. Is that really a significant concern? Charge the client for it.
However, I agree that it requires some quick hand in image manipulation software.
That's the most surprising thing I've read today. I assumed it was destructive.
Black/delete (and flatten/rebroadcast) is the only way.
I have this at work, with engineering drawings. With mobile equipment we're often not dealing with engineering companies per se, and they won't or don't know how to get us CAD models of their equipment. And we often don't have the equipment on hand at the time we need to make drawings.
But if you have a PDF with vector drawings, often a manual, and one or two good dimensions you can make a reasonably accurate model. AutoCAD even makes this easy with the PDFIMPORT function.
More often than I would expect, there's a whole other drawing view either covered by a white box or off-page. Once it looked like it had been drawn over with a white paintbrush tool, and of course the path of that was also visible.
There was a scandal around 2003 when a TV host took a topless photo, cropped it and shared the cropped photo online. Unfortunately, the software (Photoshop—I think CS3) she used to crop the photo stored the original photo as metadata if you didn't change the original filename. The original (uncropped) photo could be seen in the "Open File" preview dialog when opening the cropped version.
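The cropped-photo story above is a metadata problem rather than a pixel problem: the visible picture was cropped, but the file still carried the original in an embedded thumbnail. As an added example (not code from the thread or from any editor's tooling), here is a standard-library-only check that walks the marker segments of a JPEG, reports the blocks that can hold such residue (Exif with an IFD1 thumbnail, Photoshop image resources, XMP) and rebuilds the file without them. The sample bytes are constructed to have a valid segment layout; they are not a decodable picture.

```python
"""Find and strip JPEG metadata segments that can carry an uncropped original.

Added example, not code from the thread or from any editor's own tooling.
Standard library only; SAMPLE_JPEG below is constructed (valid segment
layout, not a decodable picture).
"""
import struct
from typing import Iterator, List, Tuple

SOI, SOS, EOI = 0xD8, 0xDA, 0xD9
APP0, APP1, APP13 = 0xE0, 0xE1, 0xED


def _segment(marker: int, payload: bytes) -> bytes:
    """FF <marker> <2-byte big-endian length including itself> <payload>."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JFIF header, an Exif block whose TIFF data carries a
# placeholder embedded JPEG thumbnail, a Photoshop resource block, one
# quantisation table, then start-of-scan, a few bytes of fake scan data, EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00MM\x00\x2a"
               + b"\xff\xd8<thumbnail-of-uncropped-photo>\xff\xd9")
    + _segment(APP13, b"Photoshop 3.0\x008BIM\x04\x04\x00\x00")
    + _segment(0xDB, bytes(65))
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56\x78" + b"\xff\xd9"
)


def walk_segments(data: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (marker, start, end) per segment; the SOS entry runs to end of file."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            return
        if marker == SOS:
            yield marker, pos, len(data)  # entropy-coded data follows; not parsed here
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def metadata_findings(data: bytes) -> List[str]:
    """Name the application segments that can embed a copy of the original image."""
    found = []
    for marker, start, end in walk_segments(data):
        body = data[start + 4:end]  # payload after marker and length bytes
        if marker == APP1 and body.startswith(b"Exif\x00\x00"):
            note = "Exif block"
            if b"\xff\xd8" in body[6:]:  # a SOI inside the TIFF data: IFD1 thumbnail
                note += " with embedded JPEG thumbnail"
            found.append(note)
        elif marker == APP1 and body.startswith(b"http://ns.adobe.com/xap/1.0/\x00"):
            found.append("XMP block")
        elif marker == APP13 and body.startswith(b"Photoshop 3.0\x00"):
            found.append("Photoshop image-resource block")
    return found


def strip_metadata(data: bytes, keep=(APP0,)) -> bytes:
    """Rebuild the file without APPn segments (JFIF kept by default). Tables and
    scan data are copied through untouched, so the visible picture is unchanged."""
    out = bytearray(data[:2])
    for marker, start, end in walk_segments(data):
        if marker == SOS:
            out += data[start:]
            break
        if 0xE0 <= marker <= 0xEF and marker not in keep:
            continue
        out += data[start:end]
    return bytes(out)


if __name__ == "__main__":
    print("before:", metadata_findings(SAMPLE_JPEG))
    cleaned = strip_metadata(SAMPLE_JPEG)
    print("after: ", metadata_findings(cleaned),
          f"({len(SAMPLE_JPEG)} -> {len(cleaned)} bytes)")
```

The thumbnail test is a heuristic (a SOI marker inside the Exif payload); a real checker would parse IFD1's JPEGInterchangeFormat tag, but the point is the same: run something like this on the exported file, not on what the editor shows you.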
Not cutting it so that it becomes transparent since this may still preserve the color component of the RGBA-pixels, even if it is invisible and blended with a black background.
However, for me, I found it absolutely hilarious and very intelligent despite being obviously extremely... I'm not sure the right description. Young? Modern internet colloquial? Either way, it worked for me.
Also visited his page. Does not disappoint: https://mango.pdf.zone/
It is an excellent stylistic choice for documenting interactions with commonwealth bureaucracy, of course.
It's very tiresome to read, with _way_ too many digressions and jokes.
> The man in question is Tony Abbott, one of Australia’s many former Prime Ministers.
> For security reasons, we try to change our Prime Minister every six months, and to never use the same Prime Minister on multiple websites.
> Harold Holt was another former Prime Minister and we… lost him? He disappeared while going for a swim one morning. This is not a joke. We named Harold Holt Memorial Swim Centre after him. I repeat, this is not a joke.
His skills at hacking are only matched by his wit at writing.
So, either Amadeus didn't fix the issue until it was disclosed here (very very bad) or Qantas didn't update their booking system for a security patch (also very bad).
[0] https://techcrunch.com/2019/01/15/amadeus-airline-booking-vu...
Some airlines just use a single "god mode" account for their whole e-commerce platform because it's cheaper / more convenient for their developers / vendors.
In this case, the "hacker" logged in to a customer-facing portal; this is probably not even a user account in the strict sense of the word.
I am asking as I fail to see how it is not a development issue. If they returned only the data that was needed on the page, it wouldn't expose internal comments or passport IDs.
0: https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...
It would be great if anyone can find it, I am certain I got it from HN.
> I said there probably was a book out there about “the basics of IT”, but it wouldn’t help much. I didn’t learn from a book. 13 year old TikTok influencers don’t learn from a book. They just vibe.
> My mum always said when I was growing up that:
> There were “too many buttons”. She was afraid to press the buttons, because she didn’t know what they did. I can understand that, since grown ups don’t have the sheer dumb hubris of a child, and that’s what makes them afraid of the buttons.
> Like, when a toddler uses a spoon for the first time, they don’t know what a spoon is, where they are, or who the current Prime Minister is. But they see the spoon, and they see the cereal, and their dumb baby brain is just like “yeA” and they have a red hot go. And like, they get it wrong the first few times, but it doesn’t matter, because they don’t know to be afraid of getting it wrong. So eventually, they get it right.
> Okay so I didn’t tell the spoon thing to Tony Abbott, but I did tell him what I always told my mum, which was: “Mum you just gotta press all the buttons, to find out what they do”.
My uncle (a sheep farmer) and I discovered that:
1. I was afraid to touch anything in a car engine, but happy to muddle through unfamiliar computer issues
2. He was afraid to click unknown buttons on a computer screen, but comfortable pulling apart and rebuilding an unfamiliar car engine.
In both cases, we were confident because we knew whatever mistake we made we'd be able to reverse it. And in both cases, we were afraid of making a mistake that we couldn't reverse.
1. He was terrified of breaking it, so I told him that there was nothing he could possibly do to it that I couldn't fix. I made sure to sound overly confident -- almost like I was challenging him to break it. That gave him the confidence to do whatever.
2. Every time there was a problem with it, I would Google the answer in front of him, and he'd watch me figure it out in real time. Eventually, he got the confidence to start Googling things himself. The tech support calls dropped off pretty steeply after that.
When I was doing upgrades, I would make the person in question replace a few parts themselves. Usually I would pull out one SIMM chip or PCI card, explain what it did and how it was retained, and then ask them to pull out and replace a similar part themselves.
I found that getting their elbows dirty went a long way toward perceiving computers as things that could be figured out.
“Nobody gives the baby a knife. You give them a spoon” - Mum, when I showed her this.
(which is also insightful, because the 'Mums' I've dealt with are mostly worried that pushing the wrong button will permanently break something, as if they used to sell blenders without safety features or something back in the day)
I can't remember how many times I've heard "I can't log in, the machine is locked", when there is literally 1 button Switch User, and clicking that 1 button does it. "Oh, I didn't think to try that, it said it was locked.."
Entering newlines in a textbox? It's.. shift-enter, or alt-enter, alt-shift-something. Multicursor? It's.. shift-up? Alt-up? You just try 'em. Cat-like
BTW, on a side note, when you try and visit the blog's homepage[0] and scroll down to the bottom, you find a link to an actual (password protected) PDF file called Mango.pdf[1]. The author 'Alex' says the password for the PDF has been embedded in the page and it didn't take me a lot of time to figure the password out from the HTML source[2].
But when I opened the PDF, I was hit with this random string of characters:
cGJhdGVuZ2h5bmd2YmFmLCBsYmggZmJ5aXJxIHpsIHlodnR2IGNobW15ci4gQCB6ci BiYSBnanZnZ3JlIGp2Z3UgbGJoZSBzbmliaGV2Z3IgcXJmZnJlZyBnYiB0cmcgbGJo ZSBlcmpuZXEuIFZnJ2YgeXZ4ciwgYWJnIG4gaXJlbCB0YmJxIGVyam5lcSBmYiBodQ o=
I tried to decode this using every available decoder, but it only throws up random results. Was wondering if any of you smart people here had any idea about this code.
[1] https://mango.pdf.zone/mango.pdf
[2] view-source:https://mango.pdf.zone/
EDIT: SOLVED IT!
As the commenters who replied to me mentioned, this puzzle is double-encoded. I think the trick is to figure out which decoder to use first.
[0] https://gchq.github.io/CyberChef/#recipe=Magic(3,false,false...
BTW, are there any more of such 'puzzle hunt' websites where you could play around and sharpen your decoding skills? Thanks!
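For practising exactly this kind of puzzle, here is an added example (not code from the thread, from the commenter, or from the mango.pdf.zone site) of a small "magic" decoder: it tries base64, hex and ROT13 on the input, keeps any output that scores higher on a crude looks-like-English heuristic, and repeats a few layers deep, so the order of decoders is discovered rather than guessed. The sample string is constructed (a ROT13'd message wrapped in base64, which is the layering assumed here for a double-encoded puzzle) and is not the string from the comment above; the word list and scoring are my own choices.

```python
"""Layered decoder for 'double-encoded' puzzle strings (base64, hex, ROT13).

Added example, not code from the thread or from mango.pdf.zone. The sample
below is constructed; the scoring heuristic and word list are assumptions.
"""
import base64
import binascii
import codecs
import re
import string
from typing import Callable, Dict, List, Optional, Tuple

COMMON_WORDS = {"the", "you", "your", "and", "to", "a", "of", "is", "it",
                "with", "on", "my", "me", "for", "not", "this"}
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=\s]{8,}$")      # whitespace allowed: line wrapping
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}\s*){4,}$")


def score(text: str) -> float:
    """'Looks like English': printable ratio, plus a common-word bonus once the
    text is (almost) fully printable. Higher is better."""
    if not text:
        return 0.0
    printable = sum(ch in string.printable for ch in text) / len(text)
    if printable < 0.95:
        return printable
    words = text.lower().translate(str.maketrans("", "", string.punctuation)).split()
    hits = sum(w in COMMON_WORDS for w in words)
    return printable + hits / max(len(words), 1)


def try_base64(s: str) -> Optional[str]:
    if not BASE64_RE.match(s):
        return None
    try:
        # validate=False silently drops the whitespace a pasted, wrapped string carries
        return base64.b64decode(s, validate=False).decode("utf-8")
    except (binascii.Error, ValueError):
        return None


def try_hex(s: str) -> Optional[str]:
    if not HEX_RE.match(s):
        return None
    try:
        return bytes.fromhex(s).decode("utf-8")
    except ValueError:
        return None


def try_rot13(s: str) -> Optional[str]:
    return codecs.decode(s, "rot_13")


DECODERS: Dict[str, Callable[[str], Optional[str]]] = {
    "base64": try_base64, "hex": try_hex, "rot13": try_rot13}


def magic(text: str, max_depth: int = 3) -> Tuple[List[str], str]:
    """Breadth-first search over decoder chains. Returns the best-scoring
    (chain, output); ([], text) if nothing beats the input."""
    best_score, best = score(text), ([], text)
    frontier: List[Tuple[List[str], str]] = [([], text)]
    for _ in range(max_depth):
        next_frontier = []
        for path, cur in frontier:
            for name, fn in DECODERS.items():
                if name == "rot13" and path and path[-1] == "rot13":
                    continue  # ROT13 is its own inverse; twice in a row is a no-op
                out = fn(cur)
                if out is None or out == cur:
                    continue
                next_frontier.append((path + [name], out))
                if score(out) > best_score:
                    best_score, best = score(out), (path + [name], out)
        frontier = next_frontier
    return best


def encode_puzzle(message: str) -> str:
    """ROT13 the message, then base64 it (the layering assumed for the puzzle)."""
    return base64.b64encode(codecs.encode(message, "rot_13").encode()).decode()


# Constructed sample, not the string from the thread.
MESSAGE = "congratulations, you solved the puzzle. message me with your favourite dessert."
SAMPLE = encode_puzzle(MESSAGE)

if __name__ == "__main__":
    chain, plain = magic(SAMPLE)
    print(" -> ".join(chain), ":", plain)
```

Adding a decoder is one dictionary entry; the search and scorer stay the same. The common-word bonus is what lets the decoder tell the intermediate ROT13 layer (all printable, no real words) from the final plaintext.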
I'm pretty sure all the developer did was:
echo json_encode($queryResult);
I saw how much I was getting paid vs how much they were charging clients. I quickly changed my prices after that.
[1]: https://idiallo.com/blog/how-much-do-you-charge-for-your-wor...
And so I applied for one. And when I received the confirmation document I received the entire batch file. It included passport number, expiry date and other PII of ten random people which would be super valuable in the hands of criminals and such.
And conversely, ten random people know my PII.
I immediately factory reset the phone. My point being sensitive data leaks all over the place in many ways in today's world.
So well done.
I mean not to call him out but this did happen and he didn't navigate his way out (although that says nothing about his confidence).
https://www.smh.com.au/national/tony-abbott-lost-in-the-outb...
EDIT: To be fair, it's been a decade. Maybe he's worked on his orienteering skills since having that experience?
Abbott was Australia's Trump. Thankfully he lasted in office an even shorter time than the people he replaced.
Killing our nascent Fibre-to-the-Home rollout which had just begun after years of planning by the previous government. We now use a problematic mishmash of slow copper instead of fibre (Murdoch wanted this so Tony gave it up for him).
Killing the mining tax for his donors. This would have returned billions for our country. We could have begun a sovereign wealth fund like Norway, which has over $1 Trillion in theirs. Australia also makes minimal profit from gas exports. Qatar exports less than us but their country profits 2600% more per year than Australia.
Domestic buyers on the east coast of Australia now pay one of the highest prices in the world for gas. Double the price our exporters are buying it for (and they have liquefaction and transport costs included).
Abbott was more our McConnell, happy to tear down political norms and standard parliamentary practice while claiming to defend it. He was a "good" opposition leader in that he basically was in opposition to everything proposed by the government, not for good reason, just because.
He didn't last long as an actual leader, because that requires positive actions, not just oppositional or destructive ones.
He won't be missed from our political domain.
His policies were regressive even for the liberal party's right, he was needlessly belligerent as PM, and I didn't like him or vote for his party. However, he wasn't an uneducated or stupid man, and he wasn't an inexperienced political outsider like Trump.
They are written in a similar style, I really love them.
Update: I have been arrested.
Is that just an obvious mistake? Or is there a news flash that we would like to hear more on?
I mean in this particular case, they could have Abbott create an account on their website first, but then, someone else booked the ticket for him so that makes things more complicated (because they don't have an e-mail address), and then there's tickets being booked all over the world, and then loads of people don't have computers or e-mail.
It escalates quickly.
and salty hacker news comments (his words) https://news.ycombinator.com/item?id=14919845
Careless or unwitting information disclosure from APIs—sometimes sensitive, sometimes not—is a real problem.
Q: Should (merely) the number from your passport really be considered a secret?
I really like the bit about learn "the IT", there's no book or anything to be good at computers you just gotta fuck around and find out a bunch.
> Like, when a toddler uses a spoon for the first time, they don’t know what a spoon is, where they are, or who the current Prime Minister is. But they see the spoon, and they see the cereal, and their dumb baby brain is just like “yeA” and they have a red hot go. And like, they get it wrong the first few times, but it doesn’t matter, because they don’t know to be afraid of getting it wrong. So eventually, they get it right.
I mean the IT books section of the charity shops is a good example of this, there's so many there for older versions of Office, operating systems, etc.
That said, I had a school book (Structured Computer Organization by Tanenbaum) that explains a lot of the basics of computers. Sure, it's about the Pentium architecture and early JVM and doesn't cover multi-core architecture or using GPU's to crunch numbers, but it goes through a lot of the basics.
Teams of media advisors and a very favorable alliance with the Murdoch press have paled in comparison to this one blog post that didn't even have that as an aim.
[0]: https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...
'If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place' - Eric Schmidt
I guess they will learn the hard way given that they aren't really 'tech savvy' or internet wise these days.
It's more the airline's fault for making this info so easy to access with what looks like non-sensitive info.
Nailed it.
Thinking in perspective now, I regret not going out with it because that ancient application probably cost millions of euro from taxes.
Different people are different.
"Update: I have been arrested." did leave me slightly confused for a while though, probably due to the verbosity making me want to scan read.
I ended up thinking that Instagram was actively removing pictures of boarding passes because I could only find a surprisingly low number of pictures containing a valid Lastname/BookingRef. As for the few pictures available, the references were often either too old, or partially covered.
I'm still wondering if Instagram does remove such photos.
Possibly the best line in an article full of really fantastic lines.
This can be reversed as well, if you do black things out this way: please make sure you're using 100% opacity black. I've managed to retrieve data from plenty of "blacked-out" documents simply by playing with contrast and exposure filters in Photoshop because the opacity wasn't set correctly.
That being said it was a really good blog!
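Several comments in this thread (blur is reversible, pixelation can be dictionary-attacked, a partially opaque black box survives a contrast tweak, "cutting" to transparent leaves the colour channel in place) come down to one check: after redaction, is every pixel in the region identical? As an added example (not code from any commenter), here is that self-check run against each of those redaction styles on a constructed 8x8 greyscale patch, using plain Python lists so no image library is needed. The blur kernel, the 90% opacity figure and the glyph are my own choices; the contrast stretch is there only to show why a region that passes the eye can fail the check.

```python
"""Redaction self-check: does the obscured region still carry information?

Added example, not code from the thread. Pixels are plain Python lists of
greyscale values, 0 = ink, 255 = paper. DOC is a constructed sample.
"""
from typing import List, Tuple

Image = List[List[int]]
RGBA = List[List[Tuple[int, int]]]  # (grey value, alpha)

# Constructed 8x8 'document' patch: a crude glyph in ink on paper.
DOC: Image = [
    [255, 255, 255, 255, 255, 255, 255, 255],
    [255,   0,   0,   0,   0,   0, 255, 255],
    [255,   0, 255, 255, 255,   0, 255, 255],
    [255,   0, 255, 255, 255,   0, 255, 255],
    [255,   0,   0,   0,   0,   0, 255, 255],
    [255, 255, 255, 255, 255,   0, 255, 255],
    [255, 255, 255, 255, 255,   0, 255, 255],
    [255, 255, 255, 255, 255, 255, 255, 255],
]

KERNEL = [1, 4, 6, 4, 1]  # binomial taps: a cheap stand-in for a Gaussian


def _blur_line(line: List[int]) -> List[int]:
    n, out = len(line), []
    for i in range(n):
        acc = 0
        for k, w in enumerate(KERNEL):
            j = min(max(i + k - 2, 0), n - 1)  # clamp the window at the edges
            acc += w * line[j]
        out.append(round(acc / sum(KERNEL)))
    return out


def gaussian_blur(img: Image) -> Image:
    """Separable blur: rows, then columns. Smooth to the eye, but a linear
    operation whose input can be estimated back (deconvolution)."""
    h, w = len(img), len(img[0])
    rows = [_blur_line(r) for r in img]
    cols = [_blur_line([rows[y][x] for y in range(h)]) for x in range(w)]
    return [[cols[x][y] for x in range(w)] for y in range(h)]


def pixelate(img: Image, block: int = 4) -> Image:
    """Mosaic filter: each block becomes its mean. The means still differ."""
    h, w = len(img), len(img[0])
    out = [row[:] for row in img]
    for y0 in range(0, h, block):
        for x0 in range(0, w, block):
            ys, xs = range(y0, min(y0 + block, h)), range(x0, min(x0 + block, w))
            mean = round(sum(img[y][x] for y in ys for x in xs) / (len(ys) * len(xs)))
            for y in ys:
                for x in xs:
                    out[y][x] = mean
    return out


def black_overlay(img: Image, opacity: float) -> Image:
    """Black rectangle drawn over the region at the given opacity (1.0 = opaque)."""
    return [[round(v * (1.0 - opacity)) for v in row] for row in img]


def contrast_stretch(img: Image) -> Image:
    """What 'playing with contrast' does: darkest value to 0, brightest to 255."""
    lo, hi = min(min(r) for r in img), max(max(r) for r in img)
    if hi == lo:
        return [row[:] for row in img]  # uniform region: nothing to stretch
    return [[round((v - lo) * 255 / (hi - lo)) for v in row] for row in img]


def cut_to_transparent(img: Image) -> RGBA:
    """'Cut' in an RGBA editor: alpha becomes 0, the colour channel is untouched."""
    return [[(v, 0) for v in row] for row in img]


def rendered_over_black(rgba: RGBA) -> Image:
    return [[round(v * a / 255) for v, a in row] for row in rgba]


def stored_channel(rgba: RGBA) -> Image:
    return [[v for v, _ in row] for row in rgba]


def information_remains(img: Image) -> bool:
    """Redaction passes only if every pixel of the region is identical."""
    return len({v for row in img for v in row}) > 1


if __name__ == "__main__":
    cases = [("gaussian blur", gaussian_blur(DOC)),
             ("pixelate", pixelate(DOC)),
             ("black box at 90% opacity", black_overlay(DOC, 0.9)),
             ("black box at 100% opacity", black_overlay(DOC, 1.0)),
             ("cut to transparent, as rendered", rendered_over_black(cut_to_transparent(DOC))),
             ("cut to transparent, as stored", stored_channel(cut_to_transparent(DOC)))]
    for name, region in cases:
        print(f"{name:35s} information remains: {information_remains(region)}")
```

Only the fully opaque box passes. The 90% box is instructive: it renders as near-black, yet a contrast stretch of that region gives back the original glyph exactly, which is the Photoshop trick the comment above describes. For a real file the same check means: read the exported pixels back (including alpha) and assert the region is uniform.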
YMMV based on nation that issues yours.
> Your boarding pass for a flight can sometimes be used to get your passport number. Don’t post your boarding pass or baggage receipt online, keep it as secret as your passport.
> How it works: The Booking Reference on the boarding pass can be used to log in to the airline’s “Manage Booking” page, which sometimes contains the passport number, depending on the airline. I saw that Tony Abbott had posted a photo of his boarding pass on Instagram, and used it to get his passport details, phone number, and internal messages between Qantas flight staff about his flight booking.
It's amazing that we have all those security protocols (HTTPS, e2e encryption, secure log-in, etc.) but in the end most of the "hacks" are just people being stupid or manipulated through social engineering.
[0] https://www.abc.net.au/news/2020-09-19/tony-abbott-boarding-...
[1] https://www.abc.net.au/radio/melbourne/programs/drive/alex-h...
Exactly for the reason shown in the article.
I believe right now it is still too difficult to do this in any framework. That's why developers take shortcuts and just expose all entity data or just make a mistake and forget about it.
Does anyone know if such a framework already exists? So per field rights, not per entity rights.
I know postgrest uses it.
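The per-field rather than per-entity point above, and the `echo json_encode($queryResult);` guess earlier in the thread, are the same problem from two sides: the data layer returns the whole row (nested passenger details, passport number, crew notes and all) and the serializer forwards it. As an added example (not code from the thread, from Qantas or Amadeus, or from PostgREST), here is an allowlist projection over dotted field paths with a policy audit, so the public "manage booking" view cannot emit a sensitive field even by accident. The booking record, role names, field names and sample values are all constructed.

```python
"""Field-level allowlisting for API responses, instead of echoing the whole row.

Added example, not code from the thread, from any airline, or from PostgREST.
The record, roles, field names and values are constructed; dump_everything
is the Python twin of the PHP one-liner quoted in the thread.
"""
import json
from typing import Any, Dict, Iterator, List, Set

# Constructed booking row as a data layer might return it: far more than any page needs.
BOOKING: Dict[str, Any] = {
    "booking_ref": "ABC123",
    "flight": {"number": "QF1", "route": "SYD-LHR", "departure": "2020-09-19T16:05"},
    "passenger": {"last_name": "EXAMPLE", "phone": "+61 400 000 000",
                  "passport_number": "PA0000000"},
    "internal_notes": "VIP; crew to note dietary request",
}

PUBLIC_FIELDS = {"booking_ref", "flight.number", "flight.route",
                 "flight.departure", "passenger.last_name"}

# Which dotted field paths each consumer may see. Anything unlisted is dropped.
FIELD_POLICY: Dict[str, Set[str]] = {
    "public_manage_booking": PUBLIC_FIELDS,
    "checkin_agent": PUBLIC_FIELDS | {"passenger.phone"},
    "ops_staff": PUBLIC_FIELDS | {"passenger.phone", "internal_notes"},
}

# Roles reachable with nothing more than a booking reference and a surname.
UNTRUSTED_ROLES = {"public_manage_booking"}

# Paths that must never appear in a response to an untrusted role.
SENSITIVE_FIELDS = {"passenger.passport_number", "passenger.phone", "internal_notes"}


def _paths(obj: Dict[str, Any], prefix: str = "") -> Iterator[str]:
    """Dotted leaf paths of a nested dict, e.g. 'passenger.passport_number'."""
    for key, value in obj.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from _paths(value, path + ".")
        else:
            yield path


def project(obj: Dict[str, Any], allowed: Set[str], prefix: str = "") -> Dict[str, Any]:
    """Keep only leaves whose dotted path is allowed; drop empty sub-objects."""
    out: Dict[str, Any] = {}
    for key, value in obj.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            sub = project(value, allowed, path + ".")
            if sub:
                out[key] = sub
        elif path in allowed:
            out[key] = value
    return out


def dump_everything(row: Dict[str, Any]) -> str:
    """The shortcut: echo json_encode($queryResult); -- every column goes out."""
    return json.dumps(row)


def serialize(row: Dict[str, Any], role: str) -> Dict[str, Any]:
    """Unknown roles get nothing; known roles get their allowlisted fields only."""
    return project(row, FIELD_POLICY.get(role, set()))


def sensitive_fields_in(payload: Dict[str, Any]) -> List[str]:
    """Boundary audit: sensitive paths present in an outgoing payload."""
    return sorted(set(_paths(payload)) & SENSITIVE_FIELDS)


def audit_policy(policy: Dict[str, Set[str]] = FIELD_POLICY) -> Dict[str, List[str]]:
    """Catch the policy mistake before deployment: an untrusted role that has been
    granted a sensitive field. Empty result means the policy is clean."""
    return {role: sorted(fields & SENSITIVE_FIELDS)
            for role, fields in policy.items()
            if role in UNTRUSTED_ROLES and fields & SENSITIVE_FIELDS}


if __name__ == "__main__":
    print("dump everything leaks:", sensitive_fields_in(json.loads(dump_everything(BOOKING))))
    print("public view:", json.dumps(serialize(BOOKING, "public_manage_booking")))
    print("policy audit:", audit_policy() or "clean")
```

The audit is the part worth wiring into CI: the projection only enforces whatever the policy says, so a one-line policy change that adds `passenger.passport_number` to the public role would otherwise ship quietly.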
While I have no idea how the SSN of a long-dead rock star could ever be useful, I'm certain I still have a copy saved around here somewhere...
No need to do funky Inspect Element magic. Works wonders for reverse engineering how your fancy UI talks to the fancy API to do the fancy things.
If you can't figure out ZAP with HUD, you can alternatively use the Network tab on Chrome and switch to AJAX (if it's something that happens without the page loading)
Are you sure you're on the right website?
At least in Australia, a passport can be used as your primary ID for a lot of stuff such as renting houses, buying mobile phones, connecting services to your home, booking flights, renting cars, etc etc etc.
It shouldn’t work like that.
rofl. Great writer.
Sarcastic PDFs never stop being amusing to me.